IP白名單配置
配置文件
###
# IP白名單配置,多個IP的使用分號分隔
# 示例:
# > 1.168.1.1 設置單個IP的白名單
# > 192.* 設置ip通配符,對一個ip段進行匹配
# > 192.168.3.17-192.168.3.38 設置一個IP范圍
# > 255.168.4.0/24 設置一個網段
##
# 預算接口IP白名單(匯聯易使用)
budget_interface_ip_white_list=1.168.1.*
配置類
package com.Interface.util;
import java.io.IOException;
import java.util.Properties;
import org.apache.commons.io.Charsets;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.core.io.support.EncodedResource;
import org.springframework.core.io.support.PropertiesLoaderUtils;
/**
* <p>Description: IP白名單配置</p>
* <p>Copyright: Copyright (c) 2021</p>
* <p>Company: TranzVision, Co. Ltd.</p>
* @author ZhangLang
* Create Time: 2021年12月9日 下午2:53:38
*/
public class IpWhiteConfig {
// IP白名單,默認允許所有IP
private String ipWhiteList = "*";
/**
* IP白名單配置
* @param property 配置屬性
*/
public IpWhiteConfig(String property) {
//從配置文件中讀取BPM數據庫配置信息
Resource resource = new ClassPathResource("conf/IPWhiteConfig.properties");
EncodedResource encodedResource = new EncodedResource(resource, Charsets.UTF_8);
try {
Properties ipProps = PropertiesLoaderUtils.loadProperties(encodedResource);
if(ipProps.containsKey(property) == true) {
ipWhiteList = ipProps.getProperty(property);
}
} catch(IOException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
}
}
/**
* @return 返回IP白名單列表
*/
public String getIpWhiteList() {
return ipWhiteList;
}
}
IP白名單校驗
校驗類
package com.Interface.util;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
/**
* <p>Description: IP白名單校驗</p>
* <p>Copyright: Copyright (c) 2021</p>
* <p>Company: TranzVision, Co. Ltd.</p>
* @author ZhangLang
* Create Time: 2021年12月9日 下午1:56:00
*
* 白名單設計關鍵:
* 包含多個規則,可以設計分隔符,分離規則字符串為多個規則列表,分割字符;,都可。
* 單個ip,和多個ip白名單匹配規則,只要判斷該規則中是否包含遠端ip字符即可,實現簡單如規則符:192.168.1.1;192.168.1.2
*
* ip范圍:范例規則字符-192.168.1.1-192.168.1.15
* 即ip在 192.168.1.0/24 網段 1-15都為合法,默認為范圍閉區間
*
* 設計思路:
* ipv4 分為4段,每段范圍:0-255
* 所以首先找出范圍ip不同部分所在的段,然后依據ip划分規則,計算
*
* 例如 192.168.0.0-192.168.2.15
*
* 包含 網段 192.168.0.0 -192.168.0.255,192.168.1.0-192.168.1.255,192.168.2.0-192.168.2.15
* 所以只要在這個范圍中ip都是合法的
*
* 網段地址如何判斷尼,請觀察 網段地址規則,例如192.168.31.0/24
* 網絡地址/網絡位數
* 網絡地址:192.168.31.0
* 子網掩碼:255.255.255.0
* 測試ip:192.168.31.1
* 網絡地址=ip&子網
* 所以判斷一個ip是否屬於一個網段可以通過ip和子網相與得到網絡地址,如果和白名單中網絡地址相同,則允許訪問
*
*/
public class IpWhiteCheckUtil {
// IP的正則
private static Pattern pattern = Pattern
.compile("(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\." + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\."
+ "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})\\." + "(1\\d{1,2}|2[0-4]\\d|25[0-5]|\\d{1,2})");
private static final String DEFAULT_ALLOW_ALL_FLAG = "*"; // 允許所有ip標志位
private static final String DEFAULT_DENY_ALL_FLAG = "0"; // 禁止所有ip標志位
/**
* Description: 獲取訪問的ip地址
* @param request
* @return
*/
public static String getIpAddr(HttpServletRequest request) {
String ip = request.getHeader("X-Forwarded-For");
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("WL-Proxy-Client-IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_CLIENT_IP");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
}
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
ip = request.getRemoteAddr();
}
if ("0:0:0:0:0:0:0:1".equals(ip)) {
ip = "127.0.0.1";
}
return ip;
}
/**
* 根據IP白名單設置獲取可用的IP列表
* @param allowIp
* @return
*/
private static Set<String> getAvaliIpList(String allowIp) {
String[] splitRex = allowIp.split(";");// 拆分出白名單正則
Set<String> ipList = new HashSet<String>(splitRex.length);
for (String allow : splitRex) {
allow = allow.trim();
if (allow.contains("*")) {// 處理通配符 *
String[] ips = allow.split("\\.");
String[] from = new String[] { "0", "0", "0", "0" };
String[] end = new String[] { "255", "255", "255", "255" };
List<String> tem = new ArrayList<String>();
for (int i = 0; i < ips.length; i++)
if (ips[i].indexOf("*") > -1) {
tem = complete(ips[i]);
from[i] = null;
end[i] = null;
} else {
from[i] = ips[i];
end[i] = ips[i];
}
StringBuilder fromIP = new StringBuilder();
StringBuilder endIP = new StringBuilder();
for (int i = 0; i < 4; i++)
if (from[i] != null) {
fromIP.append(from[i]).append(".");
endIP.append(end[i]).append(".");
} else {
fromIP.append("[*].");
endIP.append("[*].");
}
fromIP.deleteCharAt(fromIP.length() - 1);
endIP.deleteCharAt(endIP.length() - 1);
for (String s : tem) {
String ip = fromIP.toString().replace("[*]", s.split(";")[0]) + "-"
+ endIP.toString().replace("[*]", s.split(";")[1]);
if (validate(ip)) {
ipList.add(ip);
}
}
} else if (allow.contains("/")) {// 處理 網段 xxx.xxx.xxx./24
ipList.add(allow);
} else {// 處理單個 ip 或者 范圍
if (validate(allow)) {
ipList.add(allow);
}
}
}
return ipList;
}
/**
* 對單個IP節點進行范圍限定
* @param arg
* @return 返回限定后的IP范圍,格式為List[10;19, 100;199]
*/
private static List<String> complete(String arg) {
List<String> com = new ArrayList<String>();
int len = arg.length();
if (len == 1) {
com.add("0;255");
} else if (len == 2) {
String s1 = complete(arg, 1);
if (s1 != null)
com.add(s1);
String s2 = complete(arg, 2);
if (s2 != null)
com.add(s2);
} else {
String s1 = complete(arg, 1);
if (s1 != null)
com.add(s1);
}
return com;
}
private static String complete(String arg, int length) {
String from = "";
String end = "";
if (length == 1) {
from = arg.replace("*", "0");
end = arg.replace("*", "9");
} else {
from = arg.replace("*", "00");
end = arg.replace("*", "99");
}
if (Integer.valueOf(from) > 255)
return null;
if (Integer.valueOf(end) > 255)
end = "255";
return from + ";" + end;
}
/**
* 在添加至白名單時進行格式校驗
* @param ip
* @return
*/
private static boolean validate(String ip) {
String[] temp = ip.split("-");
for (String s : temp)
if (!pattern.matcher(s).matches()) {
return false;
}
return true;
}
/**
* 根據IP,及可用Ip列表來判斷ip是否包含在白名單之中
* @param ip
* @param ipList
* @return
*/
private static boolean isPermited(String ip, Set<String> ipList) {
if (ipList.isEmpty() || ipList.contains(ip))
return true;
for (String allow : ipList) {
if (allow.indexOf("-") > -1) {// 處理 類似 192.168.0.0-192.168.2.1
String[] tempAllow = allow.split("-");
String[] from = tempAllow[0].split("\\.");
String[] end = tempAllow[1].split("\\.");
String[] tag = ip.split("\\.");
boolean check = true;
for (int i = 0; i < 4; i++) {// 對IP從左到右進行逐段匹配
int s = Integer.valueOf(from[i]);
int t = Integer.valueOf(tag[i]);
int e = Integer.valueOf(end[i]);
if (!(s <= t && t <= e)) {
check = false;
break;
}
}
if (check)
return true;
} else if (allow.contains("/")) {// 處理 網段 xxx.xxx.xxx./24
int splitIndex = allow.indexOf("/");
// 取出子網段
String ipSegment = allow.substring(0, splitIndex); // 192.168.3.0
// 子網數
String netmask = allow.substring(splitIndex + 1);// 24
// ip 轉二進制
long ipLong = ipToLong(ip);
//子網二進制
long maskLong=(2L<<32 -1) -(2L << Integer.valueOf(32-Integer.valueOf(netmask))-1);
// ip與和子網相與 得到 網絡地址
String calcSegment = longToIP(ipLong & maskLong);
// 如果計算得出網絡地址和庫中網絡地址相同 則合法
if(ipSegment.equals(calcSegment))return true;
}
}
return false;
}
/**
* 根據IP地址,及IP白名單設置規則判斷IP是否包含在白名單
* @param ip
* @param ipWhiteConfig
* @return
*/
public static boolean isPermited(String ip, String ipWhiteConfig) {
if (null == ip || "".equals(ip) || null == ipWhiteConfig)
return false;
//ip格式不對
if(!pattern.matcher(ip).matches()) return false;
if (DEFAULT_ALLOW_ALL_FLAG.equals(ipWhiteConfig))
return true;
if (DEFAULT_DENY_ALL_FLAG.equals(ipWhiteConfig))
return false;
Set<String> ipList = getAvaliIpList(ipWhiteConfig.replaceAll(";", ";"));
return isPermited(ip, ipList);
}
private static long ipToLong(String strIP) {
long[] ip = new long[4];
// 先找到IP地址字符串中.的位置
int position1 = strIP.indexOf(".");
int position2 = strIP.indexOf(".", position1 + 1);
int position3 = strIP.indexOf(".", position2 + 1);
// 將每個.之間的字符串轉換成整型
ip[0] = Long.parseLong(strIP.substring(0, position1));
ip[1] = Long.parseLong(strIP.substring(position1 + 1, position2));
ip[2] = Long.parseLong(strIP.substring(position2 + 1, position3));
ip[3] = Long.parseLong(strIP.substring(position3 + 1));
return (ip[0] << 24) + (ip[1] << 16) + (ip[2] << 8) + ip[3];
}
// 將10進制整數形式轉換成127.0.0.1形式的IP地址
private static String longToIP(long longIP) {
StringBuilder sb = new StringBuilder("");
// 直接右移24位
sb.append(String.valueOf(longIP >>> 24));
sb.append(".");
// 將高8位置0,然后右移16位
sb.append(String.valueOf((longIP & 0x00FFFFFF) >>> 16));
sb.append(".");
sb.append(String.valueOf((longIP & 0x0000FFFF) >>> 8));
sb.append(".");
sb.append(String.valueOf(longIP & 0x000000FF));
return sb.toString();
}
public static void main(String[] args) {
String ipWhilte = "1.168.1.1;" //設置單個IP的白名單 //
+ "192.*; " //設置ip通配符,對一個ip段進行匹配
+ "192.168.3.17-192.168.3.38; " //設置一個IP范圍
+ "25.168.4.0/24 "; //設置一個網段
IpWhiteConfig ipWhiteConfig = new IpWhiteConfig("budget_interface_ip_white_list");
ipWhilte = ipWhiteConfig.getIpWhiteList();
System.out.println(IpWhiteCheckUtil.isPermited("187.122.0.168",ipWhilte));//true
}
}
調用示例
// 獲取訪問IP
String ip = IpWhiteCheckUtil.getIpAddr(request);
// 從配置文件中獲取IP白名單列表
IpWhiteConfig ipWhiteConfig = new IpWhiteConfig(IP_WHITE_CONFIG_PROPERTY);
String ipWhiteList = ipWhiteConfig.getIpWhiteList();
// 校驗IP
if(!IpWhiteCheckUtil.isPermited(ip, ipWhiteList)) {
throw new Exception("您的訪問IP["+ ip +"]不在IP白名單內,請聯系管理員配置");
}
